Major California marijuana dispensary STIIIZY had customer information from its Alameda, Modesto, and San Francisco stores compromised following a cyberattack against its third-party point-of-sale processing services vendor, according to The Record, a news site by cybersecurity firm Recorded Future.
Infiltration of the vendor's systems between October and November exposed not only individuals' names, ages, and addresses, but also photographs, medical cannabis cards, driver's license numbers, and passport numbers, STIIIZY said in a breach notice and filing with California regulators, which did not detail the number of people whose data had been stolen. STIIIZY's disclosure comes more than a month after the Everest ransomware operation admitted to conducting the attack, touting the theft of over 422,000 records that it threatened to leak by early December. Everest ransomware, which specializes in extortion against organizations across various sectors, "is particularly skilled at avoiding detection by using encrypted communication channels and secure methods to obscure their activities," said Halcyon CEO Jon Miller.